elog.h

Firestorm NIDS是一个性能非常高的网络入侵检测系统 (NIDS)。目前

#ifndef __ELOG_HEADER_INCLUDED__
#define __ELOG_HEADER_INCLUDED__

/* 
 * An extended logfile is described by a single header at the start
 * of a file - it contains little more than a magic number.
 * 
 * Each alert is a variable length record comprising of:
 *  o a fixed size header
 *  o a variable number of variable length records describing
 *    each layer in the packet such as protocol name, offset 
 *    within the packet and additional data.
 *  o optional packet data
 *  o an optional variable length generator string
 *  o an optional variable length alert string
 *  o Any extra padding
 *
 * Exact structures are described below.
 *
 */

/* please to god change this magic number if you are fiddling
 * with the format - even in local development trees!! */
#define EF_MAGIC 0x656c6f67 /* "elog" */
#define EF_VERS_MAJ 0
#define EF_VERS_MIN 2

/* Extended log file header (big endian integers) */
struct efile_hdr {
	u_int32_t magic;
	u_int16_t flags;
	u_int8_t vers_major;
	u_int8_t vers_minor;
};

/* common to all types of packet */
struct elog_common_hdr {
	u_int32_t reclen;
	u_int16_t type;
	u_int8_t prio;
	u_int8_t reserved; /* must be zero */
	struct timeval ts;
};

/* Different record types */
#define ELOG_ALERT 0
struct elog_pkthdr {
	struct elog_common_hdr h;

	/* Specific to alerts */
	u_int32_t sid,rev;	/* signature id and revision */
	u_int32_t pflags;	/* packet flags */
	u_int16_t decode_len;	/* decode data length (multiples of 4) */
	u_int8_t gen_len;	/* generator length (including null) */
	u_int8_t alert_len;	/* alert length (including null) */
	u_int32_t pkt_len;	/* packet length on wire */
	u_int32_t pkt_caplen;	/* length of present captured packet */

	/* <protocol decode data> */
	/* pkt_caplen bytes of data */
	/* null terminated generator string (gen_len) */
	/* null terminated alert string (alert_len) */
	/* any extra padding */
};

/* decode data for each layer */
struct elog_dhdr {
	u_int8_t	tot_len;	/* multiples of 4 */
	u_int8_t	name_len;	/* multiples of 4 */
	u_int16_t 	pkt_ofs;
	u_int32_t	flags;
	/* null terminated protocol name */
	/* protocol private data */
};

#define ELOG_MESG 1
struct elog_mesghdr {
	struct elog_common_hdr h;
	/* NULL terminated message */
	/* padding to 4 bytes */
};

#endif /* __ELOG_HEADER_INCLUDED__ */